Cloud computing has become an integral part of almost every enterprise IT strategy and organizational structure, so the corresponding operating costs are being transferred to third parties, which manage and maintain the enterprise's internal services.
Cloud computing service providers are also offering a wide range of services, including payroll, recruitment, performance management, training, and storage. As the average cost of computing continues to decrease, the demand for technical expertise and related resources is growing, mainly due to the interconnected needs of service consumers and service providers.
Because of the impact of cloud computing, security practitioners across industries are in a different position from their IT peers. The latter's scope of control and responsibility is often limited to corporate offices and data centers, whereas security practitioners must also consider third-party networks, often referred to as cloud computing, and devices beyond their control. Whether you're a chief information security officer who manages a technical team of security professionals, or a security engineer responsible for ensuring the safety of key assets in your business, mastering cloud computing has become a fundamental requirement for successfully protecting enterprise users, data, and infrastructure.
Of course, before security professionals can protect their cloud-related assets, they may need to answer a seemingly simple question: what is cloud computing? In this article, we'll start with the existing definitions of cloud computing and then discuss the gaps in these definitions from the perspective of corporate security professionals.
Reassess the current definition of cloud computing
While we're talking about a broad definition of cloud computing, it's important for security professionals to have a solid grasp of cloud computing technology rather than just vague concepts. The National Institute of Standards and Technology (NIST) provides a useful definition of cloud computing, as follows: "Cloud computing is a model that can easily access a configurable pool of public computing resources (for example, networks, servers, storage devices, applications, and services) as required. These resources can be quickly delivered and published, and this pattern can also be implemented to minimize administrative costs or service provider interference." NIST also breaks the cloud computing model down into essential characteristics, service models, and deployment models. The following table gives an overview of the model:
Some analysts and suppliers have given a narrow definition of cloud computing as an upgraded version of utility computing (essentially a virtual server available on the Internet). Other security people have extended this narrow view to hold that any resource used outside the corporate firewall is "cloud computing", even including conventional outsourcing services.
These definitions are useful, but we have also found some clear gaps in them. For example, BYOD (bring your own device), one of the most revolutionary changes in the business environment in recent years, is left out of the discussion. Through BYOD policies, traditional consumer and/or private networks, such as home or small-business networks, can be extended into large enterprise settings. The home network also has all the elements of the NIST cloud definition and sits outside the corporate firewall, but do security practitioners see the home network as part of cloud computing?
In this case, the distinction between cloud computing on the one hand and BYOD and home networks on the other is based on location, scope of control, and contractual obligations. The service models defined by NIST carry a certain degree of obligation through the contract, while BYOD relies on the user's own systems. For example, if my home network is compromised, I am not obligated to report the damage to my employer, even if my device is accessing the company's assets over a VPN connection. If my employer's network is compromised, I will not be liable for the damage or for notification of it, nor will my employer know who has visited our home computer network.
To provide comprehensive protection, IT security teams must also consider this extended employee-owned infrastructure (we call it consumer-as-a-service, or CaaS, infrastructure). Just as importantly, they should treat it as untrusted by default and develop the relevant enterprise controls and response measures based on that assumption. CaaS infrastructure requires a security posture similar to that of other hybrid cloud deployments.
As the name suggests, the deep or dark web is another gap in these cloud definitions. Not indexed by modern search engines, this area of the Internet is the bread and butter of security workers, but also the root of the harm caused by malicious actors. Its structure of covert channels and encrypted distributed file systems, which scale on demand at low cost, makes it quite confusing. This threat-as-a-service (TaaS) model can be extended from the attacker's home or compromised infrastructure to provide malicious capacity and to overwhelm vulnerable targets with traffic, regardless of geographic area or industry.
For the purposes of this discussion, we must also consider lazy cloud computing, which is the last security gap in our cloud definition. We consider it because we have little influence over the laws and regulations that govern it; it includes entities such as governments, police, and statutes. Although we have limited control over them, companies must adhere to (or successfully circumvent) these inert entities or face the reality of being removed from the Internet.
The Internet (registrars, ISPs, telecom entities, etc.) is a hyper-aggregated system whose subsystems stand in a mutually inclusive relationship: they are absolutely interdependent. Therefore, we must consider the entire system to ensure end-to-end protection. The following is the NIST cloud chart, updated to reflect a complete cloud computing system with the gaps filled in.
Check cloud activity
As we discussed earlier, cloud computing is usually a vague concept, and even a large, respected institution like NIST can leave gaps. Given the updated definitions we provide, security practitioners should consider reassessing their IT environment in light of the issues mentioned above. We hope that these new definitions offer an introspective and insightful view of the enterprise infrastructure and of the protection that most businesses need.